Server, client, authentication system and user authentication and data access method
Technical Field
The invention relates to the field of internet security, in particular to a server, a client, an authentication system and a user authentication and data access method.
Background
In order to provide a user authentication function, the existing scheme usually relies on a corresponding device, such as a background server of a bank or a database server, to authenticate a combination of a user ID and a password uploaded by a client, and thereby authenticate the user. However, in an application scenario with a high requirement on the level of security protection, it is still difficult to ensure security and reliability by relying on the combination of the user ID and the password alone: for example, third-party tools exist that crack the user ID and the password by enumeration, and when a user accidentally loses a notebook or a mobile phone on which the user ID and the password are recorded, the user ID and the password themselves may be revealed in various ways. In order to solve this problem, an existing scheme has a corresponding device, such as a background server of a bank, send a verification code through a wireless communication network to a mobile phone or a mailbox registered by the user, and confirms that user authentication is successful after receiving the same verification code input by the user into the client. However, this mode still has a potential safety hazard: when the user carelessly loses the mobile phone serving as the client, and the user ID and the password used for authentication are stored on that mobile phone, whoever picks up the lost mobile phone can still complete user authentication with the mobile phone alone, so that the authenticated user is not the registered user. In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a server, a client, an authentication system and a user authentication and data access method, which at least solve the technical problem of insufficient safety of the existing user authentication scheme.
According to an aspect of an embodiment of the present invention, there is provided a user authentication method, including: receiving a first message which is sent by a client and used for requesting authentication of a user of the client, wherein the first message carries first authentication information and second authentication information corresponding to the user, the first authentication information comprises input information of the user, and the second authentication information comprises card swiping information of the user; judging whether the first authentication information is matched with the second authentication information; and if the first authentication information is matched with the second authentication information, sending a second message for indicating successful authentication to the client.
According to another aspect of the embodiments of the present invention, there is also provided a data access method, including: when a client needs to access target data, acquiring first authentication information and second authentication information corresponding to a user of the client, wherein the first authentication information comprises input information of the user, and the second authentication information comprises card swiping information of the user; sending a first message for requesting authentication of the user to a server, wherein the first message carries the first authentication information and the second authentication information, and is used for enabling the server to return a second message for indicating successful authentication to the client when judging that the first authentication information is matched with the second authentication information; and when the second message is received, sending a message for requesting to access the target data to the corresponding equipment.
According to still another aspect of the embodiments of the present invention, there is also provided a server, including: a first receiving unit, configured to receive a first message that is sent by a client and used to request authentication of a user of the client, where the first message carries first authentication information and second authentication information corresponding to the user, where the first authentication information includes input information of the user, and the second authentication information includes card swiping information of the user; a determination unit configured to determine whether the first authentication information matches the second authentication information; and a first sending unit, configured to send a second message indicating that authentication is successful to the client when the first authentication information matches the second authentication information.
According to another aspect of the embodiments of the present invention, there is also provided a client, including: a first obtaining unit, configured to obtain first authentication information and second authentication information corresponding to a user of the client when access to target data is required, where the first authentication information includes input information of the user, and the second authentication information includes card swiping information of the user; a first sending unit, configured to send a first message used for requesting authentication of the user to a server, where the first message carries the first authentication information and the second authentication information, and is used to enable the server to return a second message used for indicating successful authentication to the client when it is determined that the first authentication information matches the second authentication information; and a second sending unit, configured to send, when receiving the second message, a message requesting access to the target data to a corresponding device.
According to another aspect of the embodiments of the present invention, there is also provided an authentication system including: the server described above; and one or more clients in data connection with the server.
In the embodiment of the present invention, on one hand, a manner of determining whether first authentication information and second authentication information sent by a client are matched is adopted to authenticate a user of the client, and on the other hand, a manner of obtaining the first authentication information and the second authentication information by the client through different information obtaining channels is adopted, specifically, the first authentication information received by an authentication server may be input information input to the client by the user, such as a user ID, a password, a two-dimensional code, a fingerprint, and the like, and the second authentication information received may be card swiping information obtained by the client through a card swiping operation of the user, such as static data stored in an IC card or a button card, and the like. Through the mode, when the user authenticates through the mobile terminal serving as the client, the card swiping information needs to be provided besides the input information, so that the safety problem of the user after the mobile terminal is lost carelessly is solved, the safety and the reliability of the authentication system are improved, and the technical problem of insufficient safety of the existing user authentication scheme is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an alternative user authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an alternative data access method according to an embodiment of the invention;
FIG. 3 is a schematic diagram of an alternative server according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an alternative client according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an alternative authentication system according to an embodiment of the present invention;
FIG. 6 is an interaction diagram of an alternative authentication system according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Example 1
According to an embodiment of the present invention, there is provided a user authentication method, as shown in FIG. 1, the method including:
S102: receiving a first message which is sent by a client and used for requesting authentication of a user of the client, wherein the first message carries first authentication information and second authentication information corresponding to the user, the first authentication information comprises input information of the user, and the second authentication information comprises card swiping information of the user;
S104: judging whether the first authentication information is matched with the second authentication information;
S106: and if so, sending a second message for indicating that the authentication is successful to the client.
It should be clear that, one of the problems to be solved by the embodiments of the present invention is to provide a method for authenticating a client or a user thereof, where the client may be used to refer to a physical device, such as a personal computer as a fixed terminal or a smart phone, a tablet computer, etc., which is connected to a server and requests authentication and related services from the server, and may also be used to refer to a client application running on the physical device and its system, such as a login client issued by a bank system to the user, which does not affect understanding and implementation of the technical solution of the present invention and implementation of technical effects thereof, and the present invention is not limited thereto.
It should be noted that, in the embodiment of the present invention, the object to which the above authentication method is directed in a general sense may be a user of the client, that is, in practical applications, the authentication process performed by the method is not limited to a specific client device or client application, and the user as the authentication object may select any feasible device or application to complete authentication.
Further, in the embodiment of the present invention, the authentication process may be generally combined in a certain more complete operation flow, for example, the operation flow may be a complete payment process, and an authentication process needs to be added in the payment process as one of the steps, or the operation flow may also be a login process for a protected website, and an authentication process needs to be added in the login process as one of the steps, and the like. In summary, the present invention does not limit the specific application scenario of the above-mentioned authentication method provided by the embodiment, and in fact, in the embodiment of the present invention, based on the interactive interface provided in each of step S102 and step S106, it is convenient to design the front and back execution logic adapted to the authentication method in the above-mentioned complete operation flow to utilize the authentication result obtained by the method, so it should be understood that similar embodiments based on the embodiment of the present invention should be considered as being within the protection scope of the present invention.
In order to provide the above authentication function, in the existing scheme, generally, a corresponding device, such as a background server of a bank or a database server, is used to verify a combination of a user ID and a password uploaded by a client to authenticate a user, which on one hand avoids a security problem that may be caused by authenticating the user locally at the client and on the other hand is convenient for background management. However, in an application scenario with a high requirement on the level of security protection, it is still difficult to ensure security and reliability by relying on the combination of the user ID and the password alone, for example, there is a third-party tool that uses enumeration to crack the user ID and the password, and in a situation such as a user accidentally losing a notebook or a mobile phone recorded with the user ID and the password, the user ID and the password themselves may be revealed through various approaches. In order to solve the problem, an existing scheme adopts a mode that a corresponding device, such as a background server of a bank, sends a verification code to a mobile phone or a mailbox registered by a user through a wireless communication network and confirms that user authentication is successful after receiving the same verification code input by the user into a client, however, the mode still has potential safety hazard, that is, when the user carelessly loses the mobile phone serving as the client, if a user ID and a password for authentication are stored on the mobile phone, other people can still finish user authentication only through the mobile phone when picking up the lost mobile phone, and the authenticated user is not the registered user.
Based on the above problem, in the embodiment of the present invention, on one hand, a manner of determining whether the first authentication information and the second authentication information sent by the client are matched is adopted to implement authentication of the user of the client, and on the other hand, a manner of obtaining the first authentication information and the second authentication information by the client through different information obtaining channels is adopted, specifically, the first authentication information received by the authentication server may be input information input to the client by the user, such as a user ID, a password, a two-dimensional code, a fingerprint, and the like, and the second authentication information received may be card swiping information obtained by the client through a card swiping operation of the user, such as static data stored in an IC card or a button card, and the like. Through the mode, when the user authenticates through the mobile terminal serving as the client, the card swiping information needs to be provided besides the input information, so that the safety problem of the user after the mobile terminal is lost carelessly is solved, the safety and the reliability of the authentication system are improved, and the technical problem of insufficient safety of the existing user authentication scheme is solved.
The technical solution and the working principle of the present invention will be described with reference to the accompanying drawings and embodiments.
According to the authentication method provided by the embodiment of the present invention, in step S102, the authentication server may receive a first message sent by the client for requesting to authenticate the user of the client.
Generally, in the embodiment of the present invention, the server for providing the authentication service may be provided by a provider of a data management service, such as a banking system, where the data management service represents a data service that needs to be requested after the authentication of the client and the user thereof is successful, and the authentication server may also be provided by an operator as a third party, such as a partner of the banking system that specially provides the authentication service, where the partner may also cooperate with more than one bank or data platform and provide the authentication service for multiple parties, which is not limited by the present invention.
On the other hand, the server can provide the authentication service independently, or can provide the authentication service in combination with a distributed data management manner and a plurality of node servers together, which is related to the occupied processing resources and storage resources of the authentication service. For example, for a small-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively small, and the number of authentication information to be managed is relatively limited, so that both the storage of the authentication information and the processing of the authentication information can be completed by the same server, whereas for a large-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively large, and the number of authentication information to be managed is also large, in this case, the processing capability and storage resources that can be provided by one server are insufficient, so that the authentication service can also be provided by a distributed architecture, wherein the server directly interacting with the client may be a data warehouse server storing metadata information, and further the data warehouse server realizes the access to the authentication information stored in a plurality of data storage nodes, however, the present invention is not limited thereto.
On the other hand, in the embodiment of the present invention, the client may generally be a mobile terminal, such as a smart phone or a tablet computer, and due to the portable characteristic of the mobile terminal, the user may achieve the purpose of interacting with the server through the mobile terminal as the client at any time and any place, and may complete authentication and subsequent access to the target data through the mobile terminal, and then perform subsequent operations according to the authentication result and/or the data access result presented on the user interface of the mobile terminal. However, this is not meant to limit the present invention, for example, in some embodiments of the present invention, the user may also complete access to the target data through the fixed terminal, for example, in a scenario where the user performs online payment through a personal computer, the authentication of the user and the access to the related data of the payment platform may be both completed through the personal computer as the client, which does not affect the implementation of the technical solution of the present invention and the implementation of the technical effect thereof, and it should be understood that similar implementations belonging to equivalent transformations or obvious variations of the present invention should be considered to be within the scope of the present invention.
In addition, in the embodiment of the present invention, the first message may generally be embodied as a Hypertext Transfer Protocol (HTTP) message, but the present invention is not limited to this; for example, in some embodiments of the present invention, the first message may also be embodied as a File Transfer Protocol (FTP) message, or as another feasible message or a message conforming to a text transfer format, so that the server can correctly identify the first message and the content of the information carried by it. Accordingly, the second message … and the like described in the embodiments of the present invention admit similar explanations, which the present invention will not repeat. It should be noted that the terms "first", "second", … etc. in the embodiments of the present invention are merely used for descriptive distinction to facilitate understanding of the present invention, and should not be construed as limiting relationship attributes such as sequence, position, or degree of importance among the plurality of elements.
On the basis of the above description, as described in step S102, the first message may carry first authentication information and second authentication information corresponding to the user, where the first authentication information may include input information of the user, and the second authentication information may include card swiping information of the user.
Specifically, in the embodiment of the present invention, the first authentication information may be input information of the user. The input information may comprise information content of at least one of the types described above, such as a user ID, a password, a two-dimensional code or a fingerprint, and the input unit of the client for acquiring the input information may include at least one of the following elements: a mouse, a keyboard, a touch screen, a scanner, a camera, a fingerprint sensor, a voice sensor, etc., which the present invention does not limit in any way.
On the other hand, in the embodiment of the present invention, the second authentication information may be card swiping information of the user. The card swiping information may also be of a plurality of types; for example, most generally, the card swiping information may include the same information content that the input information described above can include, but it differs in that the card swiping information comes from an information carrier held by the user, such as an IC card, a button card or a radio frequency chip, and the information carrier may "swipe" the information stored therein in a wireless manner. Correspondingly, the specific communication method used for swiping the information may be selected from a plurality of methods known to those skilled in the art; for example, most generally, it may use near field communication (NFC) or another radio frequency identification (RFID) technology, and the present invention is not limited thereto. Generally, in the embodiment of the present invention, when providing the authentication service for a bank system, the card swiping information already present in the IC card issued by the bank system may be used. For example, for an IC card adopting the static data authentication (SDA) method, the information stored in the IC card may include the user information of the IC card to be verified, static data, an issuer public key index, and the like, and one or more of the items stored in the IC card may be selected as the second authentication information to participate in the authentication process shown in the embodiment of the present invention.
In the above scenario, since the client obtains the first authentication information and the second authentication information through different channels, the risk of the authentication information being obtained through a single channel alone is limited, and further, through the matching judgment between the first authentication information and the second authentication information in step S104, a more reliable authentication result can be obtained, thereby improving the security and reliability of the authentication system. Further, in the embodiment of the present invention, other feasible technical means known to those skilled in the art may be combined to further improve information security; for example, in the process of the server receiving the first message sent by the client as described in step S102, the Secure Sockets Layer (SSL) protocol or the Transport Layer Security (TLS) protocol may be combined to improve the security and reliability of data transmission. It should be understood that similar extensions of the embodiments of the present invention are still considered to be within the scope of the present invention.
Based on the above description, according to the authentication method provided by the embodiment of the present invention, in step S104, after the first authentication information and the second authentication information are received through step S102, it may be further determined whether the first authentication information and the second authentication information are matched, and further, through step S106, in a case that the first authentication information and the second authentication information are matched, it may be determined that the authentication is successful; otherwise, it may be determined that the authentication has failed. For example, suppose a user loses a mobile phone on which a payment user name and a password are recorded, but does not lose the IC card which is required for authentication, which the user bound in advance, and which corresponds to the user name and the password. For a conventional authentication scheme, whether payment authentication is performed directly with the user name and the password or in combination with a mobile phone verification code, an actually wrong authentication result cannot be avoided; but for an authentication system adopting the authentication method of the embodiment of the present invention, even if another person finds the lost mobile phone, that person cannot pass authentication as the user, which improves the security of user information and the reliability of the authentication system.
Specifically, in the embodiment of the present invention, there may be a plurality of specific manners of determining whether the first authentication information and the second authentication information are matched in step S104. Generally, in an embodiment of the present invention, the step S104 may include:
S2: searching a data record corresponding to the first authentication information in a prestored record;
S4: and if the searched data record is the same as or corresponds to the second authentication information, judging that the first authentication information is matched with the second authentication information.
For example, taking payment authentication as an example, in an embodiment, the input information of the user serving as the first authentication information may be a user ID of the payment bank input by the user to the client, and the card swiping information serving as the second authentication information may be the name of the registered user stored in an IC card issued by the payment bank. In step S2, the user name in the data record corresponding to the user ID may be searched for in the pre-stored records, and in step S4, the searched user name is compared with the name stored in the IC card; if they are the same, it may be determined that authentication is successful, and otherwise it is determined that authentication has failed.
Of course, this is merely an example and is not intended to limit the present invention. For example, in some embodiments of the present invention, it may also be determined whether the first authentication information matches the second authentication information without using the above-mentioned manner of searching for a data record and comparing, for example, a manner of performing calculation or decryption processing on the first authentication information by using an agreed operator or a key and comparing the calculated or decrypted first authentication information with the second authentication information may also be used.
Further optionally, in view of the requirement of higher security, in the embodiment of the present invention, the step S104 may further include:
S6: verifying the first authentication information and/or the second authentication information according to a preset rule;
S8: if the verification is successful, judging whether the first authentication information is matched with the second authentication information.
That is, in the embodiment of the present invention, before determining whether the first authentication information and the second authentication information are matched, the first authentication information and/or the second authentication information may be verified, and after the verification is successful, the matching determination may be performed. As a possible verification manner, in an embodiment of the present invention, the step S6 may include:
S10: decrypting the third authentication information from the first message by using a preset key; if the decrypted third authentication information is the same as or corresponds to the first authentication information and/or the second authentication information, the first authentication information and/or the second authentication information is judged to be successfully verified; or
S12: decrypting the first authentication information and/or the second authentication information by using a preset key; and if the decrypted first authentication information and/or the decrypted second authentication information are the same as or correspond to the fourth authentication information carried in the first message, judging that the first authentication information and/or the second authentication information are successfully verified.
In this embodiment of the present invention, a manner similar to SDA authentication may be used to verify the first authentication information and/or the second authentication information. For example, taking verification of bank user information originally stored in an IC card issued by a bank as the second authentication information as an example, the bank user information may be decrypted by using an issuer public key index carried in the first message, where the specific decryption manner may be: 1) decrypting the issuer public key in the public key index according to a Certificate Authority (CA) public key in the public key index; and 2) decrypting the bank user information according to the public key of the issuer. The issuer public key index may also be regarded as part of the card swiping information serving as the second authentication information; that is, the third authentication information may also be included in the first or second authentication information and carried in the first message, but the present invention is not limited thereto.
Of course, this is only one of the possible ways and is not the only embodiment of the invention. For example, similarly, in the embodiment of the present invention, the first authentication information and/or the second authentication information may also be verified in the manner of dynamic data authentication (DDA), which is not described here again.
Further optionally, in an embodiment of the present invention, before step S104, the authentication method may further include:
S14: receiving a third message which is sent by any client, including the above client, and used for requesting binding, wherein the third message carries the first authentication information and the second authentication information;
S16: and storing the first authentication information and the second authentication information acquired from the third message, and marking the stored first authentication information and the second authentication information as corresponding.
Through this method, a user can complete the binding of the first authentication information and the second authentication information on the server side in advance through any client: on receiving a third message requesting binding, the server obtains the first authentication information and the second authentication information from the third message, stores them locally and marks them as corresponding, so that, when the same client or another client provides the first authentication information and the second authentication information during the user's subsequent use, the server can judge that they are matched and return a successful authentication result.
Further optionally, in an embodiment of the present invention, after step S14 and before step S102, the method may further include:
S18: sending a fourth message for requesting registration of the user to the corresponding device, wherein the fourth message carries the first authentication information and/or the second authentication information;
S20: receiving the registration result returned by the corresponding device and forwarding it to the client.
In some embodiments of the present invention, the client may complete the binding at the authentication server side and the registration at the corresponding device simultaneously in one request and response, wherein in step S18, after receiving the third message for requesting the binding, the server may forward the fourth message carrying the first authentication information and/or the second authentication information and used for requesting the corresponding device to register the user to the corresponding device, and receive the registration result returned by the corresponding device in step S20, and further forward the registration result to the client, thereby completing the binding of the user registration and the authentication information together.
The technical solutions of the present invention are schematically described by the above embodiments, however, it should be understood that the specific embodiments of the present invention are not limited to the modes provided by the above embodiments. For example, the steps S18 and S20 are not necessary for the process of registering the user with the corresponding device, for example, in some embodiments of the present invention, the client may also directly interact with the corresponding device to complete registration, and then the client or the corresponding device notifies the authentication server to bind the registered user information and the card swiping information, or in other embodiments, after the server obtains authorization, the third message may not carry the indication information, but automatically continue the registration operation after receiving the binding request sent by the client, and then the server may send the first authentication information and/or the second authentication information to the corresponding device as data trusted by the corresponding device, and the corresponding device completes registration and returns the result of registration. It should be understood that the implementation of the technical solution and the achievement of the technical effect of the present invention are not affected by the similar embodiments, and the present invention is not limited thereto.
Example 2
According to an embodiment of the present invention, there is also provided a data access method, as shown in fig. 2, the method including:
S202: when a client needs to access target data, acquiring first authentication information and second authentication information corresponding to a user of the client, wherein the first authentication information comprises input information of the user, and the second authentication information comprises card swiping information of the user;
S204: sending a first message for requesting authentication of the user to the server, wherein the first message carries the first authentication information and the second authentication information and is used for enabling the server to return a second message indicating successful authentication to the client when it judges that the first authentication information matches the second authentication information;
S206: when the second message is received, sending a message for requesting access to the target data to the corresponding device.
It should be clear that, one of the problems to be solved by the embodiments of the present invention is to provide a method for enabling a client to authenticate a user thereof, and then access target data that the user needs to access after the authentication is successful, where the target data generally belongs to protected data content, and specifically, the target data may be a web page stored on a web server, a data record stored on a database server, or other data resources stored on a corresponding device accessed to a network, and correspondingly, an operation of the user or the client accessing the target data may be embodied as logging in a website, confirming payment, or accessing resources, and the like, which is not limited in any way by the present invention.
Specifically, in the embodiment of the present invention, the client may be used to refer to a physical device that is connected to the server and requests authentication and related services from the server, such as a personal computer serving as a fixed terminal or a smart phone, a tablet computer, and the like serving as a mobile terminal, and may also be used to refer to a client application running on the physical device and a system thereof, such as a login client issued by a bank system to a user, and the like, which does not affect understanding and implementation of the technical solution of the present invention and implementation of technical effects thereof, and the present invention is not limited thereto. Correspondingly, in the embodiment of the present invention, the server may represent a physical device for providing the authentication and related services to the client and the user thereof, and the present invention also does not limit the concrete representation form of the device and the connection relationship between the device and the device outside the client.
It should be noted that, in the embodiment of the present invention, the authentication object in the above access method may be a user of the client, that is, in practical applications, the authentication process performed by the method is not limited to a specific client device or client application, and the user as the authentication object may select any feasible device or application to complete authentication.
In order to provide the above authentication function when accessing a digital home, in the existing scheme, generally, a corresponding device, such as a background server of a bank or a database server, is used to verify a combination of a user ID and a password uploaded by a client to authenticate a user, so that on one hand, the security problem possibly caused by authenticating the user locally at the client is avoided, and on the other hand, background management can be facilitated. However, in an application scenario with a high requirement on the level of security protection, it is still difficult to ensure security and reliability by relying on the combination of the user ID and the password alone, for example, there is a third-party tool that uses enumeration to crack the user ID and the password, and in a situation such as a user accidentally losing a notebook or a mobile phone recorded with the user ID and the password, the user ID and the password themselves may be revealed through various approaches. In order to solve the problem, an existing scheme adopts a mode that a corresponding device, such as a background server of a bank, sends a verification code to a mobile phone or a mailbox registered by a user through a wireless communication network and confirms that user authentication is successful after receiving the same verification code input by the user into a client, however, the mode still has potential safety hazard, that is, when the user carelessly loses the mobile phone serving as the client, if a user ID and a password for authentication are stored on the mobile phone, other people can still finish user authentication only through the mobile phone when picking up the lost mobile phone, and the authenticated user is not the registered user.
Based on the above problem, in the embodiment of the present invention, on one hand, a manner of determining whether the first authentication information and the second authentication information sent by the client are matched is adopted to authenticate the user of the client, and the target data is accessed after the authentication is successful, and on the other hand, a manner of obtaining the first authentication information and the second authentication information by the client through different information obtaining channels is adopted, specifically, the first authentication information received by the authentication server may be input information input to the client by the user, such as a user ID, a password, a two-dimensional code, a fingerprint, and the like, and the second authentication information received may be card swiping information obtained by the client through a card swiping operation of the user, such as static data stored in an IC card or a button card, and the like. Through the mode, when the user authenticates through the mobile terminal serving as the client, the card swiping information needs to be provided besides the input information, so that the safety problem of the user after the mobile terminal is lost carelessly is solved, the safety and the reliability of the authentication system are improved, and the technical problem of insufficient safety of the existing user authentication scheme and the problem of underprotection of target data caused by the problem are solved.
The technical solution and the working principle of the present invention will be described with reference to the accompanying drawings and embodiments.
According to the access method provided by the embodiment of the present invention, in step S202, when a client needs to access target data, the client may obtain first authentication information and second authentication information corresponding to a user of the client, where the first authentication information may include input information of the user, and the second authentication information may include card swiping information of the user.
In the embodiment of the present invention, the client may generally be a mobile terminal, such as a smart phone or a tablet computer, and due to the portable characteristic of the mobile terminal, a user may interact with the server through the mobile terminal as the client at any time and any place, and may complete authentication and subsequent access to target data through the mobile terminal, and further perform subsequent operations according to an authentication result and/or a data access result presented on a user interface of the mobile terminal. However, this is not meant to limit the present invention, for example, in some embodiments of the present invention, the user may also complete access to the target data through the fixed terminal, for example, in a scenario where the user performs online payment through a personal computer, the authentication of the user and the access to the related data of the payment platform may be both completed through the personal computer as the client, which does not affect the implementation of the technical solution of the present invention and the implementation of the technical effect thereof, and it should be understood that similar implementations belonging to equivalent transformations or obvious variations of the present invention should be considered to be within the scope of the present invention.
Specifically, in the embodiment of the present invention, the first authentication information may be input information of the user, and the input information may comprise at least one of the kinds of information content described above, such as a user ID, a password, a two-dimensional code or a fingerprint. The input unit of the client for acquiring the input information may include at least one of the following elements: a mouse, a keyboard, a touch screen, a scanner, a camera, a fingerprint sensor, a voice sensor, and the like, which are not limited in any way by the present invention.
Furthermore, in the embodiment of the present invention, the second authentication information may be card swiping information of the user. The card swiping information may also be of a plurality of types; most generally, it may include the same kinds of information content that the input information can include, the difference being that the card swiping information comes from an information carrier held by the user, such as an IC card, a button card or a radio frequency chip, from which the stored information is "swiped" in a wireless manner. Correspondingly, the specific communication manner used for swiping the information may be selected from a plurality of manners known to those skilled in the art; most generally, NFC or other RFID technologies may be used, and the present invention is not limited in any way. Generally, in the embodiment of the present invention, when providing the authentication service for a bank system, the existing card swiping information in the IC card issued by the bank system may be used. For example, for an IC card adopting the SDA authentication method, the information stored in the IC card may include the user information of the IC card to be verified, static data, the public key index of the issuer, and the like, and one or more of these may be selected as the second authentication information to participate in the authentication process shown in the embodiment of the present invention.
Under the above scenario, the client acquires the first authentication information and the second authentication information through different channels, so that the risk that the authentication information is acquired only through a single channel is limited, and a more reliable authentication result can be obtained through the subsequent matching judgment of the first authentication information and the second authentication information by the server, so that the safety and the reliability of the authentication system are improved.
On the basis of the above description, according to the access method provided by the embodiment of the present invention, in step S204 a first message for requesting authentication of the user may be sent to the server. The first message may carry the first authentication information and the second authentication information, so that the server returns a second message indicating successful authentication to the client when it judges that the two match. Further, in step S206, when the second message is received, the client may send a message for requesting access to the target data to the corresponding device. This message may also carry the first authentication information and/or the second authentication information, on the basis of which the corresponding device may further identify the access right of the client and its user, so that the client successfully accesses the target data.
For example, assume that the user loses a mobile phone on which a payment user name and password are recorded, but the IC card that the user previously bound to that user name and password, and that is required for authentication, is not lost. Under a traditional authentication scheme, whether payment authentication relies directly on the user name and password or combines them with a mobile phone verification code, a wrong authentication result cannot be avoided, and the client then erroneously performs payment confirmation. For an authentication system employing the access method of the embodiment of the present invention, however, even if another person picks up the lost mobile phone, the mobile phone alone still cannot pass user authentication, thereby improving the safety of the user information and the reliability of the authentication system; the safety of the payment-related data serving as the target data is improved and the safety risk of the user is reduced.
Specifically, in the embodiment of the present invention, the first message may generally be embodied as an HTTP message, but the present invention is not limited to this; for example, in some embodiments of the present invention, the first message may also be embodied as an FTP message, or as another feasible message or a message conforming to a text transmission format, so as to allow the server to correctly identify the first message and the information content carried by it. The second message and the other messages described in the embodiments of the present invention are subject to similar explanations, which are not repeated here. It should be noted that the terms "first", "second" and so on in the embodiments of the present invention are merely used for descriptive distinction to facilitate understanding of the present invention, and should not be construed as limiting relationship attributes such as sequence, position or degree of importance of the plurality of elements.
It should be noted that, in the embodiment of the present invention, the server for providing the authentication service may be set by a provider of the data management service, such as a banking system, where the data management service represents a data service that needs to be requested after the authentication of the client and the user thereof is successful, and the authentication server may also be provided by an operator as a third party, such as a partner of the banking system that specially provides the authentication service, where the partner may also cooperate with more than one bank or data platform and provide the authentication service for multiple parties, which is not limited by the present invention.
On the other hand, the server can provide the authentication service independently, or can provide the authentication service in combination with a distributed data management manner and a plurality of node servers together, which is related to the occupied processing resources and storage resources of the authentication service. For example, for a small-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively small, and the number of authentication information to be managed is relatively limited, so that both the storage of the authentication information and the processing of the authentication information can be completed by the same server, whereas for a large-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively large, and the number of authentication information to be managed is also large, in this case, the processing capability and storage resources that can be provided by one server are insufficient, so that the authentication service can also be provided by a distributed architecture, wherein the server directly interacting with the client may be a data warehouse server storing metadata information, and further the data warehouse server realizes the access to the authentication information stored in a plurality of data storage nodes, however, the present invention is not limited thereto.
Further, in the embodiment of the present invention, other feasible technical means known to those skilled in the art may be combined to further improve information security; for example, in the process of the server receiving the first message sent by the client as described in step S202, the SSL protocol or the TLS protocol may be used to improve the security and reliability of data transmission. It should be understood that similar extensions and variations of the embodiments of the present invention are still considered to be within the scope of the present invention.
Specifically, in the embodiment of the present invention, there may be a plurality of specific ways for the server to determine whether the first authentication information and the second authentication information are matched. Generally, in the embodiment of the present invention, the determining operation performed by the server may include:
S22: searching for a data record corresponding to the first authentication information in a prestored record;
S24: if the searched data record is the same as or corresponds to the second authentication information, judging that the first authentication information matches the second authentication information.
For example, taking payment authentication as an example, in an embodiment the input information of the user serving as the first authentication information may be a user ID of the payment bank input by the user into the client, and the card swiping information serving as the second authentication information may be the name of the registered user stored in an IC card issued by the payment bank. In step S22, the user name in the data record corresponding to the user ID may be searched for in a pre-stored record, and in step S24 the searched user name is compared with the name stored in the IC card; if they are the same, it may be determined that authentication is successful, otherwise it is determined that authentication has failed.
Of course, this is merely an example and is not intended to limit the present invention. For example, in some embodiments of the present invention, it may also be determined whether the first authentication information matches the second authentication information without using the above-mentioned manner of searching for a data record and comparing, for example, a manner of performing calculation or decryption processing on the first authentication information by using an agreed operator or a key and comparing the calculated or decrypted first authentication information with the second authentication information may also be used.
Further optionally, in view of the requirement of higher security, in the embodiment of the present invention, the step S204 may further include:
S26: encrypting, by using a preset key, third authentication information which is the same as or corresponds to the first authentication information and/or the second authentication information;
S28: sending the first message carrying the encrypted third authentication information to the server.
That is, in the embodiment of the present invention, the client may carry the third authentication information corresponding to the first authentication information and/or the second authentication information in the first message and send the third authentication information to the server, so that the server may verify the first authentication information and/or the second authentication information according to the third authentication information before determining whether the first authentication information is matched with the second authentication information, and perform the matching determination after the verification is successful. Correspondingly, as a possible authentication manner, the authentication operation performed by the server may include:
S30: decrypting the third authentication information from the first message by using a preset key; if the decrypted third authentication information is the same as or corresponds to the first authentication information and/or the second authentication information, judging that the first authentication information and/or the second authentication information is successfully verified; or
S32: decrypting the first authentication information and/or the second authentication information by using a preset key; if the decrypted first authentication information and/or second authentication information is the same as or corresponds to the fourth authentication information carried in the first message, judging that the first authentication information and/or the second authentication information is successfully verified.
In this embodiment of the present invention, a manner similar to SDA authentication may be used to verify the first authentication information and/or the second authentication information. For example, taking verification of bank user information originally stored in an IC card issued by a bank as the second authentication information as an example, the bank user information may be decrypted by using an issuer public key index carried in the first message, where the specific decryption manner may be: 1) decrypting the issuer public key in the public key index according to the CA public key in the public key index; 2) decrypting the bank user information according to the public key of the issuer. The issuer public key index may also be regarded as a part of the card swiping information serving as the second authentication information, that is, the third authentication information may also be included in the first or second authentication information and carried in the first message, but the present invention is not limited thereto.
Of course, this is only one of the possible ways and is not the only embodiment of the invention. For example, similarly, in the embodiment of the present invention, the first authentication information and/or the second authentication information may also be verified in a DDA manner, and the present invention is not described in detail herein.
Further optionally, in an embodiment of the present invention, before step S202, the accessing method may further include:
S34: any client, including the above client, acquires the first authentication information and the second authentication information;
S36: that client sends a third message for requesting binding to the server, wherein the third message carries the first authentication information and the second authentication information.
Through the method, a user can complete the binding of the first authentication information and the second authentication information on the server side in advance through any client. After receiving the third message for requesting the binding, the server obtains the first authentication information and the second authentication information from the third message, stores them locally and marks them as corresponding, so that, when the first authentication information and the second authentication information are later provided by the same client or another client during subsequent use, the server can judge that they match and return the successful authentication result.
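As an added illustration, which is not part of the patent text or of any implementation it describes, the following Go program models the server side of the scheme across the passages above: the bindings created by third messages (S34/S36, and S14/S16 of Example 1), the SDA-like check of the card data with a CA public key and an issuer public key (steps 1) and 2) above, realised here with RSA PKCS#1 v1.5 signatures over SHA-256 digests rather than the "decryption" wording of the text), and the matching judgement of S22/S24. All keys, card contents and user names are constructed for the example; the field names and the AuthServer type are hypothetical.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SwipeInfo is the constructed "second authentication information" read from the IC card:
// the card holder name, the issuer public key with the CA signature over it (the "issuer
// public key index" of the text) and the issuer signature over the card holder name.
type SwipeInfo struct {
	UserName     []byte // bank user information stored on the card
	IssuerPubKey []byte // PKCS#1 DER encoding of the issuer public key
	IssuerCert   []byte // CA signature over IssuerPubKey
	StaticSig    []byte // issuer signature over UserName (SDA-style signed static data)
}

// AuthServer keeps the bindings created by binding requests (third messages) and the
// CA public key that roots the issuer key chain.
type AuthServer struct {
	caPub    *rsa.PublicKey
	bindings map[string][]byte // user ID (first information) -> bound card holder name
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// verifyCard is the SDA-like check of the text: 1) verify the issuer public key with
// the CA public key; 2) verify the bank user information with the issuer public key.
func verifyCard(caPub *rsa.PublicKey, c SwipeInfo) error {
	if rsa.VerifyPKCS1v15(caPub, crypto.SHA256, digest(c.IssuerPubKey), c.IssuerCert) != nil {
		return errors.New("issuer public key is not certified by the CA")
	}
	issuerPub, err := x509.ParsePKCS1PublicKey(c.IssuerPubKey)
	if err != nil {
		return err
	}
	if rsa.VerifyPKCS1v15(issuerPub, crypto.SHA256, digest(c.UserName), c.StaticSig) != nil {
		return errors.New("card static data is not signed by the issuer")
	}
	return nil
}

// Authenticate handles a first message (user ID + card): verify the card (S30), then
// S22/S24: look up the record bound to the user ID and compare it with the card data.
func (s *AuthServer) Authenticate(userID string, card SwipeInfo) (bool, error) {
	if err := verifyCard(s.caPub, card); err != nil {
		return false, err
	}
	bound, ok := s.bindings[userID] // S22: search the prestored record
	if !ok {
		return false, errors.New("no record bound to this user ID")
	}
	return bytes.Equal(bound, card.UserName), nil // S24: compare with the card data
}

// issueCard constructs a demo card: the CA certifies the issuer key, the issuer signs the name.
func issueCard(caPriv, issuerPriv *rsa.PrivateKey, userName string) (SwipeInfo, error) {
	pub := x509.MarshalPKCS1PublicKey(&issuerPriv.PublicKey)
	cert, err := rsa.SignPKCS1v15(rand.Reader, caPriv, crypto.SHA256, digest(pub))
	if err != nil {
		return SwipeInfo{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, issuerPriv, crypto.SHA256, digest([]byte(userName)))
	return SwipeInfo{UserName: []byte(userName), IssuerPubKey: pub, IssuerCert: cert, StaticSig: sig}, err
}

// Demo plays the scenario of the text: the bound user passes, another user's ID presented
// with Alice's card fails the match, and a card with altered static data is rejected.
func Demo() (genuine, wrongUser, tamperedRejected bool) {
	caPriv, err1 := rsa.GenerateKey(rand.Reader, 2048)
	issuerPriv, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	aliceCard, err := issueCard(caPriv, issuerPriv, "ALICE")
	if err != nil {
		panic(err)
	}
	srv := &AuthServer{caPub: &caPriv.PublicKey, // bindings created earlier by third messages (S36)
		bindings: map[string][]byte{"alice": []byte("ALICE"), "bob": []byte("BOB")}}
	genuine, _ = srv.Authenticate("alice", aliceCard)
	wrongUser, _ = srv.Authenticate("bob", aliceCard) // genuine card, but not the one bound to bob
	forged := aliceCard
	forged.UserName = []byte("BOB") // altered static data: the issuer signature no longer verifies
	_, err = srv.Authenticate("bob", forged)
	tamperedRejected = err != nil
	return
}

func main() {
	g, w, t := Demo()
	fmt.Printf("genuine=%v wrongUser=%v tamperedRejected=%v\n", g, w, t)
}
```

The card check runs before the lookup, so a card whose static data was altered is rejected without revealing whether the presented user ID is bound at all.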
Further optionally, in an embodiment of the present invention, the step S36 may further include:
S38: sending a third message carrying indication information to the server, wherein the indication information is used for enabling the server to send a fourth message for requesting registration of the user to the corresponding device;
Further, after step S36, the access method may further include:
S40: the client receives the registration result returned by the server and/or the corresponding device.
In some embodiments of the present invention, the client may complete the binding at the authentication server side and the registration at the corresponding device at the same time in one request and response, where, through step S38, after the server may receive the third message for requesting the binding, the server forwards the fourth message carrying the first authentication information and/or the second authentication information and used for requesting the corresponding device to register the user to the corresponding device, and then receives the registration result returned by the corresponding device and forwards the registration result to the client, and then the client may receive the registration result returned by the server and/or the corresponding device through step S40, thereby completing the binding of the user registration and the authentication information together.
The technical solutions of the present invention are schematically described by the above embodiments, however, it should be understood that the specific embodiments of the present invention are not limited to the modes provided by the above embodiments. For example, the steps S38 and S40 are not necessary for the process of registering the user with the corresponding device, for example, in some embodiments of the present invention, the client may also directly interact with the corresponding device to complete registration, and then the client or the corresponding device notifies the authentication server to bind the registered user information and the card swiping information, or in other embodiments, after the server obtains authorization, the third message may not carry the indication information, but automatically continue the registration operation after receiving the binding request sent by the client, and then the server may send the first authentication information and/or the second authentication information to the corresponding device as data trusted by the corresponding device, and the corresponding device completes registration and returns the result of registration. It should be understood that the implementation of the technical solution and the achievement of the technical effect of the present invention are not affected by the similar embodiments, and the present invention is not limited thereto.
Example 3
According to an embodiment of the present invention, there is further provided a server for implementing the user authentication method according to embodiment 1, as shown in fig. 3, the server including:
1) a first receiving unit 302, configured to receive a first message that is sent by a client and used to request for authenticating a user of the client, where the first message carries first authentication information and second authentication information corresponding to the user, where the first authentication information includes input information of the user, and the second authentication information includes card swiping information of the user;
2) a judging unit 304, configured to judge whether the first authentication information matches the second authentication information;
3) a first sending unit 306, configured to send a second message indicating that the authentication is successful to the client when the first authentication information matches the second authentication information.
It should be clear that, one of the problems to be solved by the embodiments of the present invention is to provide a server, so as to authenticate a client or a user thereof, where the client may be used to refer to a physical device, such as a personal computer as a fixed terminal or a smart phone, a tablet computer, etc., as a mobile terminal, which is connected to the server and requests authentication and related services from the server, and may also be used to refer to a client application running on the physical device and the system thereof, such as a login client issued by a bank system to the user, which does not affect understanding and implementation of the technical solution of the present invention and implementation of technical effects thereof, and the present invention is not limited thereto.
It should be noted that, in the embodiment of the present invention, the object to which the authentication process is directed in a general sense may be a user of the client, that is, in practical applications, the authentication process executed by the server is not limited to a specific client device or client application, and the user as the authentication object may select any feasible device or application to complete authentication.
Further, in the embodiment of the present invention, the authentication process may be generally combined in a certain more complete operation flow, for example, the operation flow may be a complete payment process, and an authentication process needs to be added in the payment process as one of the steps, or the operation flow may also be a login process for a protected website, and an authentication process needs to be added in the login process as one of the steps, and the like. In general, the present invention does not limit the specific application environment of the server or the functional module for implementing the authentication process provided by the embodiment, and in fact, in the embodiment of the present invention, based on the interactive interface provided by the first receiving unit 302 and the first sending unit 306, the front and back execution logic adapted to the server or the functional module can be conveniently designed in the complete operation flow to utilize the authentication result obtained by the authentication process, so it should be understood that similar implementation manners based on the embodiment of the present invention should be considered as being within the protection scope of the present invention.
In order to provide the above authentication function, in the existing scheme, generally, a corresponding device, such as a background server of a bank or a database server, is used to verify a combination of a user ID and a password uploaded by a client to authenticate a user, which on one hand avoids a security problem that may be caused by authenticating the user locally at the client and on the other hand is convenient for background management. However, in an application scenario with a high requirement on the level of security protection, it is still difficult to ensure security and reliability by relying on the combination of the user ID and the password alone, for example, there is a third-party tool that uses enumeration to crack the user ID and the password, and in a situation such as a user accidentally losing a notebook or a mobile phone recorded with the user ID and the password, the user ID and the password themselves may be revealed through various approaches. In order to solve the problem, an existing scheme adopts a mode that a corresponding device, such as a background server of a bank, sends a verification code to a mobile phone or a mailbox registered by a user through a wireless communication network and confirms that user authentication is successful after receiving the same verification code input by the user into a client, however, the mode still has potential safety hazard, that is, when the user carelessly loses the mobile phone serving as the client, if a user ID and a password for authentication are stored on the mobile phone, other people can still finish user authentication only through the mobile phone when picking up the lost mobile phone, and the authenticated user is not the registered user.
Based on the above problem, in the embodiment of the present invention, on one hand, a manner of determining whether the first authentication information and the second authentication information sent by the client are matched is adopted to implement authentication of the user of the client, and on the other hand, a manner of obtaining the first authentication information and the second authentication information by the client through different information obtaining channels is adopted, specifically, the first authentication information received by the authentication server may be input information input to the client by the user, such as a user ID, a password, a two-dimensional code, a fingerprint, and the like, and the second authentication information received may be card swiping information obtained by the client through a card swiping operation of the user, such as static data stored in an IC card or a button card, and the like. Through the mode, when the user authenticates through the mobile terminal serving as the client, the card swiping information needs to be provided besides the input information, so that the safety problem of the user after the mobile terminal is lost carelessly is solved, the safety and the reliability of the authentication system are improved, and the technical problem of insufficient safety of the existing user authentication scheme is solved.
The technical solution and the working principle of the present invention will be described with reference to the accompanying drawings and embodiments.
According to the server provided by the embodiment of the present invention, through the first receiving unit 302, the authentication server may receive a first message sent by the client for requesting to authenticate the user of the client.
Generally, in the embodiment of the present invention, the server for providing the authentication service may be provided by a provider of a data management service, such as a banking system, where the data management service represents a data service that needs to be requested after the authentication of the client and the user thereof is successful, and the authentication server may also be provided by an operator as a third party, such as a partner of the banking system that specially provides the authentication service, where the partner may also cooperate with more than one bank or data platform and provide the authentication service for multiple parties, which is not limited by the present invention.
On the other hand, the server can provide the authentication service independently, or can provide the authentication service in combination with a distributed data management manner and a plurality of node servers together, which is related to the occupied processing resources and storage resources of the authentication service. For example, for a small-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively small, and the number of authentication information to be managed is relatively limited, so that both the storage of the authentication information and the processing of the authentication information can be completed by the same server, whereas for a large-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively large, and the number of authentication information to be managed is also large, in this case, the processing capability and storage resources that can be provided by one server are insufficient, so that the authentication service can also be provided by a distributed architecture, wherein the server directly interacting with the client may be a data warehouse server storing metadata information, and further the data warehouse server realizes the access to the authentication information stored in a plurality of data storage nodes, however, the present invention is not limited thereto.
On the other hand, in the embodiment of the present invention, the client may generally be a mobile terminal, such as a smart phone or a tablet computer, and due to the portable characteristic of the mobile terminal, the user may achieve the purpose of interacting with the server through the mobile terminal as the client at any time and any place, and may complete authentication and subsequent access to the target data through the mobile terminal, and then perform subsequent operations according to the authentication result and/or the data access result presented on the user interface of the mobile terminal. However, this is not meant to limit the present invention, for example, in some embodiments of the present invention, the user may also complete access to the target data through the fixed terminal, for example, in a scenario where the user performs online payment through a personal computer, the authentication of the user and the access to the related data of the payment platform may be both completed through the personal computer as the client, which does not affect the implementation of the technical solution of the present invention and the implementation of the technical effect thereof, and it should be understood that similar implementations belonging to equivalent transformations or obvious variations of the present invention should be considered to be within the scope of the present invention.
In addition, in the embodiment of the present invention, the first message may be generally embodied as an http message, but the present invention is not limited to this, for example, in some embodiments of the present invention, the first message may also be embodied as an ftp message, or other feasible messages or messages conforming to a text transmission format, so as to allow the server to correctly identify the first message and the information content carried by the first message. Accordingly, the second message, …, and the like described in the embodiments of the present invention are applicable to similar explanations, and the present invention will not be described in a repeated manner. It should be noted that the terms "first", "second", …, etc. in the embodiments of the present invention are merely used for descriptive distinction to facilitate understanding of the present invention, and should not be construed as limiting the relationship attributes such as sequence, position, importance degree, etc. of the plurality of elements.
On the basis of the above description, as described in the first receiving unit 302, the first message may carry first authentication information and second authentication information corresponding to the user, where the first authentication information may include input information of the user, and the second authentication information may include card swiping information of the user.
Specifically, in the embodiment of the present invention, the first authentication information may be input information of the user, where the input information may comprise information content of at least one of the following: the input unit of the client for acquiring the input information may include at least one of the following elements: a mouse, a keyboard, a touch screen, a scanner, a camera, a fingerprint sensor, a voice sensor, etc., which are not limited in any way by the present invention.
On the other hand, in the embodiment of the present invention, the second authentication information may be card swiping information of the user. The card swiping information may also be of a plurality of types; most generally, the card swiping information may include the same kinds of information content that the input information can include, but it is not limited to these, the difference being that the card swiping information comes from an information carrier held by the user, such as an IC card, a button card, a radio frequency chip, and the like, from which the client can "swipe" the stored information in a wireless manner. Correspondingly, the specific communication manner used for swiping the information may also be selected from a plurality of manners known to those skilled in the art, for example, most generally, NFC or other RFID technologies may be used, and the present invention is not limited in any way. Generally, in the embodiment of the present invention, when providing the authentication service for the bank system, the existing card swiping information in the IC card issued by the bank system may be used, for example, for the IC card adopting the SDA authentication method, the information stored in the IC card may include the user information of the IC card to be verified, static data, the public key index of the issuer, and the like, wherein one or more of the information stored in the IC card may be selected as the second authentication information to participate in the authentication process shown in the embodiment of the present invention.
In the above scenario, since the client obtains the first authentication information and the second authentication information through different channels, the risk that the authentication information is obtained through only a single channel is limited, and further, the determining unit 304 determines the matching between the first authentication information and the second authentication information, so that a more reliable authentication result can be obtained, thereby improving the security and reliability of the authentication system. Further, in the embodiment of the present invention, other feasible technical means known to those skilled in the art may be further combined to further improve the information security, for example, in the process of receiving the first message sent by the client by the server as described in the first receiving unit 302, the SSL protocol or the TLS protocol may be combined to improve the security and reliability of data transmission. It should be understood that similar extensions and variations of the embodiments of the present invention are still considered to be within the scope of the present invention.
On the basis of the above description, according to the server provided in the embodiment of the present invention, through the determining unit 304, after the first authentication information and the second authentication information are received through the first receiving unit 302, it can be further determined whether the first authentication information matches with the second authentication information, and further through the first sending unit 306, in a case that it is determined that the first authentication information matches with the second authentication information, it can be determined that the authentication is successful, otherwise, it can be determined that the authentication is failed. For example, if a user loses a mobile phone and records a payment user name and a password on the mobile phone, but does not lose an IC card which is required for authentication and is pre-bound by the user and corresponds to the user name and the password, for a conventional authentication scheme, no matter a payment authentication mode is performed by directly using the user name and the password, or a payment authentication mode is performed by combining a mobile phone verification code, an actual wrong authentication result cannot be avoided, but for an authentication system using the server of the embodiment of the present invention, even if other people find the lost mobile phone, the user authentication cannot be passed, which improves the security of user information and the reliability of the authentication system.
Specifically, in the embodiment of the present invention, the specific manner of determining whether the first authentication information and the second authentication information match in the determining unit 304 may be various. Generally, in an embodiment of the present invention, the determining unit 304 may include:
1) the searching submodule is used for searching a data record corresponding to the first authentication information in a prestored record;
2) the third judging submodule is used for judging that the first authentication information is matched with the second authentication information when the searched data record is the same as or corresponds to the second authentication information.
For example, taking payment authentication as an example, in an embodiment, the input information of the user as the first authentication information may be a user ID of a payment line input by the user to the client, the card swiping information as the second authentication information may be a name of a registered user stored in an IC card issued by the payment line, the search submodule may search for the user name in the data record corresponding to the user ID in the pre-stored record, and further the third judgment submodule compares whether the searched user name is the same as the name stored in the IC card, and if so, it may be determined that the authentication is successful, otherwise, it is determined that the authentication is failed.
Of course, this is merely an example and is not intended to limit the present invention. For example, in some embodiments of the present invention, it may also be determined whether the first authentication information matches the second authentication information without using the above-mentioned manner of searching for a data record and comparing, for example, a manner of performing calculation or decryption processing on the first authentication information by using an agreed operator or a key and comparing the calculated or decrypted first authentication information with the second authentication information may also be used.
Further optionally, in view of a requirement of higher security, in an embodiment of the present invention, the determining unit 304 may further include:
1) the verification module is used for verifying the first authentication information and/or the second authentication information according to a preset rule;
2) the judging module is used for judging whether the first authentication information is matched with the second authentication information when the verification is successful.
That is, in the embodiment of the present invention, before determining whether the first authentication information and the second authentication information are matched, the first authentication information and/or the second authentication information may be verified, and after the verification is successful, the matching determination may be performed. As a feasible verification manner, in the embodiment of the present invention, the verification module may include:
1) the first decryption submodule is used for decrypting the third authentication information from the first message by using a preset key;
2) the first judgment sub-module is used for judging that the first authentication information and/or the second authentication information are successfully verified when the decrypted third authentication information is the same as or corresponds to the first authentication information and/or the second authentication information.
Alternatively, as another possible verification method, the verification module may also include:
1) the second decryption submodule is used for decrypting the first authentication information and/or the second authentication information by using a preset secret key;
2) the second judgment sub-module is used for judging that the first authentication information and/or the second authentication information are/is successfully verified when the decrypted first authentication information and/or the decrypted second authentication information are the same as or correspond to the fourth authentication information carried in the first message.
In this embodiment of the present invention, a manner similar to SDA authentication may be used to verify the first authentication information and/or the second authentication information, for example, taking verification of bank user information originally stored in an IC card issued by a bank as the second authentication information as an example, the bank user information may be decrypted by using an issuer public key index carried in the first message, where the specific decryption manner may be: 1) decrypting the issuer public key in the public key index according to the CA public key in the public key index; 2) decrypting the bank user information according to the public key of the issuer. The issuer public key index may also be regarded as a part of the card swiping information serving as the second authentication information, that is, the third authentication information may also be included in the first or second authentication information and carried in the first message, but the present invention is not limited thereto.
Of course, this is only one of the possible ways and is not the only embodiment of the invention. For example, similarly, in the embodiment of the present invention, the first authentication information and/or the second authentication information may also be verified in a DDA manner, and the present invention is not described in detail herein.
Further optionally, in an embodiment of the present invention, the server may further include:
1) the second receiving unit is used for receiving a third message which is sent by any client side including the client side and used for requesting binding, and the third message carries the first authentication information and the second authentication information;
2) the storage unit is used for storing the first authentication information and the second authentication information acquired from the third message and marking the stored first authentication information and the second authentication information as corresponding.
In this way, a user can complete the binding of the first authentication information and the second authentication information on the server side through any client in advance, wherein the server can obtain the first authentication information and the second authentication information from the received third message for requesting the binding, store them locally, and mark them as corresponding information, so that the server can judge that the first authentication information and the second authentication information are matched after they are provided by the same client or another client in the subsequent use process of the user, and then return the successful authentication result.
Further optionally, in an embodiment of the present invention, the server may further include:
1) a second sending unit, configured to send a fourth message for requesting to register the user to the corresponding device, where the fourth message carries the first authentication information and/or the second authentication information;
2) the third receiving unit is used for receiving the registration result returned by the corresponding device and sending it to the client.
In some embodiments of the present invention, the client may complete the binding at the authentication server side and the registration at the corresponding device simultaneously in one request and response, wherein, after the server receives the third message for requesting the binding, the server may forward, through the second sending unit, the fourth message carrying the first authentication information and/or the second authentication information for requesting the corresponding device to register the user to the corresponding device, receive the registration result returned by the corresponding device through the third receiving unit, and further forward the registration result to the client, thereby completing the user registration and the binding of the authentication information together.
The technical solutions of the present invention are schematically described by the above embodiments, however, it should be understood that the specific embodiments of the present invention are not limited to the modes provided by the above embodiments. For example, the second sending unit and the third receiving unit are not necessary for the process of registering the user with the corresponding device, for example, in some embodiments of the invention, the client may also interact directly with the corresponding device to complete the registration, then the client or the corresponding device informs the authentication server of binding the registered user information with the card swiping information, or, in other embodiments, after the server obtains the authorization, the third message may not carry the indication information, but automatically continue the registration operation after receiving the binding request sent by the client, and the server can send the first authentication information and/or the second authentication information to the corresponding equipment as the data trusted by the corresponding equipment, and the corresponding equipment completes registration and returns the registration result. It should be understood that the implementation of the technical solution and the achievement of the technical effect of the present invention are not affected by the similar embodiments, and the present invention is not limited thereto.
Example 4
According to an embodiment of the present invention, there is further provided a client for implementing the data access method according to embodiment 2, where as shown in fig. 4, the client includes:
1) a first obtaining unit 402, configured to obtain, when access to target data is required, first authentication information and second authentication information corresponding to a user of a client, where the first authentication information includes input information of the user, and the second authentication information includes card swiping information of the user;
2) a first sending unit 404, configured to send a first message used for requesting authentication of a user to a server, where the first message carries first authentication information and second authentication information, and is used to enable the server to return a second message used for indicating that authentication is successful to a client when it is determined that the first authentication information matches the second authentication information;
3) a second sending unit 406, configured to send, when receiving the second message, a message for requesting to access the target data to the corresponding device.
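The exchange between the client of this embodiment and the server of the preceding embodiment, as an added Python model that is not part of the patent: the client's first obtaining unit and first and second sending units, and the server's binding, verification and determining units. The SDA-style verification of the card data is modelled by an HMAC tag under a preset key, and the record layout (user ID bound to the card's static data) and all sample values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed preset key shared by the card issuer and the authentication
# server; it stands in for the SDA issuer-key chain of the text (assumption).
PRESET_KEY = b"constructed-preset-key"


def card_tag(static_data: bytes) -> str:
    """Third authentication information: the issuer's tag over the card's
    static data, which the server re-derives with the preset key."""
    return hmac.new(PRESET_KEY, static_data, hashlib.sha256).hexdigest()


def issue_card(static_data: bytes) -> dict:
    """Constructed IC card content: static data (registered name) plus tag."""
    return {"static_data": static_data, "tag": card_tag(static_data)}


@dataclass
class AuthServer:
    # Pre-stored records: user ID -> card static data bound to that user.
    records: dict = field(default_factory=dict)

    def bind(self, third_message: dict) -> dict:
        """Second receiving unit and storage unit: store the first and second
        authentication information of a binding request as corresponding."""
        self.records[third_message["user_id"]] = third_message["card"]["static_data"]
        return {"bound": True}

    def verify(self, first_message: dict) -> bool:
        """Verification module: the tag carried in the first message must
        correspond to the second authentication information (card data)."""
        expected = card_tag(first_message["card"]["static_data"])
        return hmac.compare_digest(expected, first_message["card"]["tag"])

    def match(self, first_message: dict) -> bool:
        """Determining unit: the search submodule finds the record for the first
        authentication information; the third judging submodule compares it
        with the second authentication information."""
        record = self.records.get(first_message["user_id"])
        if record is None:
            return False
        return hmac.compare_digest(record, first_message["card"]["static_data"])

    def authenticate(self, first_message: dict) -> dict:
        """First receiving unit -> verification -> determining unit -> first
        sending unit, whose output is the second message."""
        if not self.verify(first_message):
            return {"authenticated": False, "reason": "card verification failed"}
        if not self.match(first_message):
            return {"authenticated": False, "reason": "input and card do not match"}
        return {"authenticated": True, "reason": ""}


@dataclass
class Client:
    server: AuthServer
    corresponding_device: dict  # target data held by e.g. the bank server

    def obtain(self, user_id: str, card: dict) -> dict:
        """First obtaining unit: input information (user ID typed on the
        keyboard or touch screen) plus card swiping information (read via NFC)."""
        return {"user_id": user_id, "card": card}

    def access_target_data(self, user_id: str, card: dict):
        """First sending unit sends the first message; only on a second message
        indicating success does the second sending unit request the data."""
        second_message = self.server.authenticate(self.obtain(user_id, card))
        if not second_message["authenticated"]:
            return None
        return self.corresponding_device.get(user_id)


def run_scenarios() -> dict:
    """Constructed scenarios: the registered user, a finder of the lost phone
    using a card issued to someone else, and a finder with forged card data."""
    server = AuthServer()
    alice_card = issue_card(b"ALICE ZHANG")
    server.bind({"user_id": "alice", "card": alice_card})
    client = Client(server, {"alice": {"balance": 100}})
    finder_card = issue_card(b"SOME FINDER")
    forged_card = {"static_data": b"ALICE ZHANG", "tag": "0" * 64}  # no preset key
    return {
        "owner": client.access_target_data("alice", alice_card),
        "finder_own_card": client.access_target_data("alice", finder_card),
        "finder_forged_card": client.access_target_data("alice", forged_card),
        "finder_reason": server.authenticate(client.obtain("alice", finder_card))["reason"],
        "forged_reason": server.authenticate(client.obtain("alice", forged_card))["reason"],
    }
```

The second and third scenarios are the lost-phone case of the text: the stored user ID alone passes neither the determining unit (wrong card) nor the verification module (card data without a valid issuer tag).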
It should be clear that one of the problems to be solved by the embodiments of the present invention is to provide a client, so that the client can authenticate a user of the client and then access target data that the user needs to access after the authentication is successful, where the target data generally belongs to protected data content, and specifically, the target data may be a web page stored on a web server, a data record stored on a database server, or other data resources stored on a corresponding device accessed to a network, and correspondingly, an operation of the user or the client accessing the target data may be embodied as logging in a website, confirming payment, or accessing resources, and the like, which is not limited in any way by the present invention.
Specifically, in the embodiment of the present invention, the client may be used to refer to a physical device that is connected to the server and requests authentication and related services from the server, such as a personal computer serving as a fixed terminal or a smart phone, a tablet computer, and the like serving as a mobile terminal, and may also be used to refer to a client application running on the physical device and a system thereof, such as a login client issued by a bank system to a user, and the like, which does not affect understanding and implementation of the technical solution of the present invention and implementation of technical effects thereof, and the present invention is not limited thereto. Correspondingly, in the embodiment of the present invention, the server may represent a physical device for providing the authentication and related services to the client and the user thereof, and the present invention also does not limit the concrete representation form of the device and the connection relationship between the device and the device outside the client.
It should be noted that, in the embodiment of the present invention, the authentication object of the authentication process may be a user of the client, that is, in practical applications, the authentication process executed by the client and the server is not limited to a specific client device or client application, and the user as the authentication object may select any feasible device or application to complete authentication.
In order to provide the above authentication function when accessing target data, in the existing scheme, generally, a corresponding device, such as a background server of a bank or a database server, is used to verify a combination of a user ID and a password uploaded by a client to authenticate a user, so that on one hand, the security problem possibly caused by authenticating the user locally at the client is avoided, and on the other hand, background management can be facilitated. However, in an application scenario with a high requirement on the level of security protection, it is still difficult to ensure security and reliability by relying on the combination of the user ID and the password alone, for example, there is a third-party tool that uses enumeration to crack the user ID and the password, and in a situation such as a user accidentally losing a notebook or a mobile phone recorded with the user ID and the password, the user ID and the password themselves may be revealed through various approaches. In order to solve the problem, an existing scheme adopts a mode that a corresponding device, such as a background server of a bank, sends a verification code to a mobile phone or a mailbox registered by a user through a wireless communication network and confirms that user authentication is successful after receiving the same verification code input by the user into a client, however, the mode still has potential safety hazard, that is, when the user carelessly loses the mobile phone serving as the client, if a user ID and a password for authentication are stored on the mobile phone, other people can still finish user authentication only through the mobile phone when picking up the lost mobile phone, and the authenticated user is not the registered user.
Based on the above problem, in the embodiment of the present invention, on one hand, a manner of determining whether the first authentication information and the second authentication information sent by the client are matched is adopted to authenticate the user of the client, and the target data is accessed after the authentication is successful, and on the other hand, a manner of obtaining the first authentication information and the second authentication information by the client through different information obtaining channels is adopted, specifically, the first authentication information received by the authentication server may be input information input to the client by the user, such as a user ID, a password, a two-dimensional code, a fingerprint, and the like, and the second authentication information received may be card swiping information obtained by the client through a card swiping operation of the user, such as static data stored in an IC card or a button card, and the like. Through the mode, when the user authenticates through the mobile terminal serving as the client, the card swiping information needs to be provided besides the input information, so that the safety problem of the user after the mobile terminal is lost carelessly is solved, the safety and the reliability of the authentication system are improved, and the technical problem of insufficient safety of the existing user authentication scheme and the problem of underprotection of target data caused by the problem are solved.
The technical solution and the working principle of the present invention will be described with reference to the accompanying drawings and embodiments.
According to the client provided by the embodiment of the present invention, in the first obtaining unit 402, when a user or the client needs to access target data, the client may obtain first authentication information and second authentication information corresponding to the user, where the first authentication information may include input information of the user, and the second authentication information may include card swiping information of the user.
In the embodiment of the present invention, the client may generally be a mobile terminal, such as a smart phone or a tablet computer, and due to the portable characteristic of the mobile terminal, a user may interact with the server through the mobile terminal as the client at any time and any place, and may complete authentication and subsequent access to target data through the mobile terminal, and further perform subsequent operations according to an authentication result and/or a data access result presented on a user interface of the mobile terminal. However, this is not meant to limit the present invention, for example, in some embodiments of the present invention, the user may also complete access to the target data through the fixed terminal, for example, in a scenario where the user performs online payment through a personal computer, the authentication of the user and the access to the related data of the payment platform may be both completed through the personal computer as the client, which does not affect the implementation of the technical solution of the present invention and the implementation of the technical effect thereof, and it should be understood that similar implementations belonging to equivalent transformations or obvious variations of the present invention should be considered to be within the scope of the present invention.
Specifically, in the embodiment of the present invention, the first authentication information may be input information of the user. The input information may comprise at least one of the kinds of information content listed above (a user ID, a password, a two-dimensional code, a fingerprint and the like), and the input unit of the client for acquiring the input information may include at least one of a mouse, a keyboard, a touch screen, a scanner, a camera, a fingerprint sensor, a voice sensor and the like, which the present invention does not limit in any way.
Furthermore, in the embodiment of the present invention, the second authentication information may be card swiping information of the user. The card swiping information may also be of several kinds; most generally it may contain the same kinds of information content as the input information, the difference being that the card swiping information comes from an information carrier held by the user, such as an IC card, a button card or a radio frequency chip, whose stored information is "swiped", that is, read out wirelessly. Correspondingly, the communication technique used for the swipe may be any of several known to those skilled in the art, most commonly NFC or another RFID technology, and the present invention is not limited in this respect. Generally, when the authentication service is provided for a banking system, the card swiping information already present in the IC card issued by that system may be used; for example, for an IC card that uses SDA (static data authentication), the information stored in the IC card may include the card user information to be verified, the static data, the issuer public key index and the like, and one or more of these may be selected as the second authentication information to participate in the authentication process of the embodiment of the present invention.
In the above scenario the client acquires the first authentication information and the second authentication information through different channels, so that an attacker who controls only one channel (for example, a lost phone) does not obtain everything needed to authenticate, and the server's subsequent judgement of whether the two match yields a more reliable authentication result, improving the security and reliability of the authentication system.
On the basis of the above description, the client provided by the embodiment of the present invention sends, through the first sending unit 404, a first message requesting authentication of the user to the server. The first message carries the first authentication information and the second authentication information, and the server returns a second message indicating successful authentication to the client when it judges that the two match. Upon receiving the second message, the client may send a message requesting access to the target data to the corresponding device through the second sending unit 406; this message may also carry the first authentication information and/or the second authentication information, on the basis of which the corresponding device may further check the access rights of the client and its user, so that the client successfully accesses the target data.
For example, suppose the user loses a mobile phone on which a payment user name and password are stored, but does not lose the IC card that was previously bound to that user name and password and is required for authentication. Under the traditional schemes, whether payment authentication uses the user name and password alone or combines them with a verification code sent to the mobile phone, an incorrect authentication result cannot be avoided, and the client then wrongly confirms the payment. With the authentication system of the embodiment of the present invention, by contrast, the mobile phone alone cannot pass user authentication even when picked up by another person, which improves the security of the user information and the reliability of the authentication system, protects the payment related data serving as the target data, and reduces the security risk to the user.
Specifically, in the embodiment of the present invention, the first message is generally an HTTP message, but the present invention is not limited to this; in some embodiments the first message may instead be an FTP message or another feasible message in a text transmission format, as long as the server can correctly identify the first message and the information content it carries. The second message … … and the like described in the embodiments of the present invention admit the same explanation, which will not be repeated. It should be noted that the terms "first", "second", … … and so on in the embodiments of the present invention serve only to distinguish elements for ease of understanding and should not be construed as limiting the relationship between the elements in terms of sequence, position, importance and the like.
It should be noted that, in the embodiment of the present invention, the server for providing the authentication service may be set by a provider of the data management service, such as a banking system, where the data management service represents a data service that needs to be requested after the authentication of the client and the user thereof is successful, and the authentication server may also be provided by an operator as a third party, such as a partner of the banking system that specially provides the authentication service, where the partner may also cooperate with more than one bank or data platform and provide the authentication service for multiple parties, which is not limited by the present invention.
On the other hand, the server can provide the authentication service independently, or can provide the authentication service in combination with a distributed data management manner and a plurality of node servers together, which is related to the occupied processing resources and storage resources of the authentication service. For example, for a small-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively small, and the number of authentication information to be managed is relatively limited, so that both the storage of the authentication information and the processing of the authentication information can be completed by the same server, whereas for a large-scale authentication system, the number of clients connected to the server and the number of users served by the server are relatively large, and the number of authentication information to be managed is also large, in this case, the processing capability and storage resources that can be provided by one server are insufficient, so that the authentication service can also be provided by a distributed architecture, wherein the server directly interacting with the client may be a data warehouse server storing metadata information, and further the data warehouse server realizes the access to the authentication information stored in a plurality of data storage nodes, however, the present invention is not limited thereto.
Further, in the embodiment of the present invention, other technical means known to those skilled in the art may be combined with the above to further improve information security; for example, in the process, described in connection with the first obtaining unit 402, in which the server receives the first message sent by the client, the transmission may be protected with TLS (or its predecessor SSL, which is now deprecated and should not be used for new deployments) to improve the confidentiality and integrity of the data in transit. It should be understood that similar extensions of the embodiments of the present invention are still considered to be within the scope of the present invention.
Specifically, in the embodiment of the present invention, there may be a plurality of specific ways for the server to determine whether the first authentication information and the second authentication information are matched. Generally, in an embodiment of the present invention, the server may include:
1) the searching submodule is used for searching a data record corresponding to the first authentication information in a prestored record;
2) and the third judging submodule is used for judging that the first authentication information is matched with the second authentication information when the searched data record is the same as or corresponds to the second authentication information.
For example, taking payment authentication as an example, in one embodiment the input information serving as the first authentication information may be a user ID of the payment institution entered by the user into the client, and the card swiping information serving as the second authentication information may be the name of the registered user stored in the IC card issued by that institution. In step S2 the user name in the data record corresponding to the user ID is looked up in the pre-stored records, and in step S4 the looked-up user name is compared with the name stored in the IC card; if they are the same, authentication is judged successful, otherwise it is judged to have failed.
Of course, this is merely an example and is not intended to limit the present invention. In some embodiments, whether the first authentication information matches the second authentication information may be judged without the above look-up-and-compare procedure; for example, the first authentication information may be transformed by a calculation with an agreed operator, or decrypted with an agreed key, and the result compared with the second authentication information.
Further optionally, in view of a requirement of higher security, in an embodiment of the present invention, the first sending unit 404 may further include:
1) the encryption module is used for encrypting third authentication information which is the same as or corresponds to the first authentication information and/or the second authentication information by using a preset secret key;
2) and the second sending module is used for sending the first message carrying the encrypted third authentication information to the server.
That is, in the embodiment of the present invention, the client may carry in the first message third authentication information corresponding to the first authentication information and/or the second authentication information, so that the server verifies the first and/or second authentication information against the third authentication information before judging whether the first and second authentication information match, and performs the matching judgement only after that verification succeeds. Correspondingly, as one possible authentication method, the server in data connection with the client may include:
1) the first decryption submodule is used for decrypting the third authentication information from the first message by using a preset key;
2) and the first judgment sub-module is used for judging that the first authentication information and/or the second authentication information are successfully verified when the decrypted third authentication information is the same as or corresponds to the first authentication information and/or the second authentication information.
Alternatively, as another possible authentication method, the server may also include:
1) the second decryption submodule is used for decrypting the first authentication information and/or the second authentication information by using a preset secret key;
2) and the second judgment sub-module is used for judging that the first authentication information and/or the second authentication information are/is successfully verified when the decrypted first authentication information and/or the decrypted second authentication information are the same as or correspond to the fourth authentication information carried in the first message.
In this embodiment of the present invention, a manner similar to SDA (static data authentication) may be used to verify the first authentication information and/or the second authentication information. Taking as an example the verification of bank user information originally stored in an IC card issued by a bank and used as the second authentication information, the bank user information is verified by means of the issuer public key index carried in the first message. The issuer public key index identifies the CA public key to be used, and the verification proceeds in two steps: 1) the issuer public key certificate is verified with the CA public key, which recovers the issuer public key (this signature-with-recovery operation is what is loosely called "decryption" in the SDA process); 2) the signed static data is then verified with the recovered issuer public key, which confirms that the bank user information was signed by the issuer and has not been altered since the card was personalised. The issuer public key index may itself be regarded as part of the card swiping information serving as the second authentication information; that is, the third authentication information may also be included in the first or second authentication information and carried in the first message, but the present invention is not limited thereto.
Of course, this is only one of the possible ways and is not the only embodiment of the invention. It should be noted that SDA only establishes that the static data originated from the issuer; because the data is static, it can be copied from a genuine card and replayed, which is why verifying the first authentication information and/or the second authentication information in the DDA (dynamic data authentication) manner, in which the card signs a fresh challenge, gives a stronger guarantee. The embodiment of the present invention may use DDA in the same way, which is not described in detail here.
Further optionally, in this embodiment of the present invention, before the first obtaining unit 402, the client may further include:
1) a second acquisition unit configured to acquire the first authentication information and the second authentication information in advance;
2) and a third sending unit, configured to send a third message for requesting binding to the server, where the third message carries the first authentication information and the second authentication information.
In this way a user can complete the binding of the first authentication information to the second authentication information on the server side in advance, through any client. After receiving the third message requesting binding, the server obtains the first and second authentication information from the third message, stores them locally and marks them as corresponding to each other, so that when the user later provides the same first and second authentication information from the same client or another client, the server judges that they match and returns a successful authentication result. Because the binding decides which card will later be accepted for the user, the binding request should itself be made only by a user whose identity has already been established, for example as part of registration with the corresponding device; otherwise a third party who knows a user ID could bind a card of their own to it.
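The bind-then-match logic described above (the searching and judging submodules, the third authentication information carried under a preset key, and the binding request) can be written out as follows. This is an added example, not code from the patent or from any bank's system: the class and function names, the preset key, the server-side pepper and the sample user and card records are all constructed for illustration. The first authentication information is what the user types (user ID and password), the second is the static data the client read from the IC card, and the third is an HMAC over both under a key shared with the client, which the server checks before it attempts the match. The server stores only a salted password hash and a keyed hash of the card data, never the raw card data.

```python
"""Bind-then-match authentication server for the two-channel scheme.

Added example; not the patent's code and not any bank's implementation.
All names, keys and sample records below are constructed assumptions.
"""
import hashlib
import hmac
import secrets

PRESET_KEY = b"constructed-key-shared-with-client"  # assumption: provisioned out of band
CARD_PEPPER = b"constructed-server-side-pepper"     # assumption: never leaves the server
PBKDF2_ROUNDS = 100_000


def third_auth_info(user_id: str, card_data: bytes) -> bytes:
    """'Third authentication information': HMAC over the first and second info."""
    return hmac.new(PRESET_KEY, user_id.encode() + b"\x00" + card_data,
                    hashlib.sha256).digest()


def card_reference(card_data: bytes) -> bytes:
    """The server keeps a keyed hash of the card data, not the raw card data."""
    return hmac.new(CARD_PEPPER, card_data, hashlib.sha256).digest()


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_first_message(user_id: str, password: str, card_data: bytes) -> dict:
    """Client side: the first message carrying first, second and third info."""
    return {"user_id": user_id, "password": password, "card_data": card_data,
            "tag": third_auth_info(user_id, card_data)}


class AuthServer:
    def __init__(self) -> None:
        self._records: dict = {}  # user_id -> {salt, pw, card_ref}

    def bind(self, user_id: str, password: str, card_data: bytes) -> None:
        """Handle the third message: bind the input info to the swiped card."""
        salt = secrets.token_bytes(16)
        self._records[user_id] = {"salt": salt,
                                  "pw": password_hash(password, salt),
                                  "card_ref": card_reference(card_data)}

    def authenticate(self, msg: dict) -> bool:
        """Handle the first message. True only if the tag verifies, the user is
        bound, the password matches and the swiped card is the bound card."""
        expected = third_auth_info(msg["user_id"], msg["card_data"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # first/second info altered in transit or wrong key
        rec = self._records.get(msg["user_id"])
        if rec is None:
            password_hash(msg["password"], bytes(16))  # keep timing uniform
            return False
        pw_ok = hmac.compare_digest(
            rec["pw"], password_hash(msg["password"], rec["salt"]))
        card_ok = hmac.compare_digest(
            rec["card_ref"], card_reference(msg["card_data"]))
        return pw_ok and card_ok


# Constructed sample: the user binds phone credentials to one card, later
# loses the phone; the finder has the stored ID and password but not the card.
BOUND_CARD = b"PAN=6222000000000001;EXP=2912;NAME=ZHANG SAN"
OTHER_CARD = b"PAN=6222000000000002;EXP=3001;NAME=LI SI"


def lost_phone_scenario() -> dict:
    server = AuthServer()
    server.bind("alice", "correct horse", BOUND_CARD)
    return {
        "owner_with_card": server.authenticate(
            build_first_message("alice", "correct horse", BOUND_CARD)),
        "finder_other_card": server.authenticate(
            build_first_message("alice", "correct horse", OTHER_CARD)),
        "wrong_password": server.authenticate(
            build_first_message("alice", "guess", BOUND_CARD)),
    }
```

Both comparisons use `hmac.compare_digest` and the unknown-user path still performs a password hash, so response time does not reveal which of the three checks failed; the client is only told that authentication failed.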
Further optionally, in this embodiment of the present invention, the third sending unit may further include:
1) the first sending module is used for sending a third message carrying indication information to the server, wherein the indication information is used for enabling the server to send a fourth message for requesting to register a user to the corresponding equipment; wherein,
the client may further include:
1) and the receiving unit is used for receiving the registration result returned by the server and/or the corresponding equipment.
In some embodiments of the present invention, the client may complete the binding on the authentication server side and the registration with the corresponding device in a single request and response. After receiving the third message requesting binding, the server forwards to the corresponding device a fourth message that carries the first authentication information and/or the second authentication information and requests registration of the user, receives the registration result returned by the corresponding device and forwards it to the client; the client receives the registration result returned by the server and/or the corresponding device through the receiving unit, so that user registration and the binding of the authentication information are completed together.
The technical solutions of the present invention are described schematically by the above embodiments, but the specific embodiments of the present invention are not limited to them. For example, the first sending module and the receiving unit are not necessary for registering the user with the corresponding device: in some embodiments the client may interact directly with the corresponding device to complete registration, after which the client or the corresponding device notifies the authentication server to bind the registered user information to the card swiping information; in other embodiments, once the server has obtained authorization, the third message need not carry the indication information, and the server automatically continues with the registration operation after receiving the binding request from the client, sending the first authentication information and/or the second authentication information to the corresponding device as data trusted by that device, which completes the registration and returns the result. It should be understood that such embodiments do not affect the implementation of the technical solution or the achievement of the technical effect of the present invention, which is not limited thereto.
Example 5
According to an embodiment of the present invention, there is also provided an authentication system, as shown in fig. 5, the system including:
1) the server of embodiment 3;
2) one or more clients as described in embodiment 4, each having a data connection with the server.
In this embodiment of the present invention, when one or more of the clients 504, 506 and 508 needs to access the target data, that client sends a first message requesting authentication of its user to the server 502; the server 502 then authenticates the user of the client 504 by determining whether the first authentication information and the second authentication information in the first message received from the client 504 match, and returns the authentication result to the client 504 so that, after successful authentication, the client 504 can access the target data. The users of the clients 506 and 508 are authenticated in the same way.
Further, to facilitate management and the processing efficiency of the server 502 in responding to first messages from multiple clients, authentication requests from different clients, and successive authentication requests from the same client, may be distinguished by a session identification code, each authentication request being assigned a unique session identification code so that a response is not delivered to the wrong request. Such an identifier should be generated by the server as an unpredictable value rather than a sequential counter, so that one client cannot guess the identifier of another client's pending request.
Further, in the embodiment of the present invention, the system may further include a server 510, and the server 510 may be a data server for managing target data to be distinguished from the server 502 for providing the authentication service. It should be noted that the present invention is not limited in any way to the specific form of the servers 502 and 510 and the clients 504, 506, and 508, and should be understood as any device having the above-mentioned functions.
Therefore, in the embodiment of the present invention, the user of the client is authenticated by determining whether the first authentication information and the second authentication information sent by the client match, the target data is accessed only after authentication succeeds, and the client obtains the first and second authentication information through different information obtaining channels: the first authentication information received by the authentication server may be input information entered into the client by the user, such as a user ID, a password, a two-dimensional code or a fingerprint, and the second authentication information may be card swiping information obtained by the client through a card swiping operation of the user, such as static data stored in an IC card or a button card. Consequently, when the user authenticates through a mobile terminal serving as the client, the card swiping information must be provided in addition to the input information, which addresses the security problem arising when the mobile terminal is lost, improves the security and reliability of the authentication system, and solves the technical problem of insufficient security in existing user authentication schemes and the resulting under-protection of target data.
The above-described authentication system and the server, client and interaction process thereof in the system will be described in detail below with reference to fig. 6 and a more specific embodiment.
As shown in fig. 6, in this embodiment a mobile banking application runs in the operating system of the smart phone used by the user. The application interacts with an auxiliary authentication front end that provides the authentication service, and with a mobile banking back end that provides the data access service, so that the user can complete authentication and access to the payment related data through the mobile banking application, that is, complete a mobile payment. The mobile banking application runs on the smart phone serving as the client, the auxiliary authentication front end may be maintained on a server provided by a third party, and the mobile banking back end is provided by the bank. The financial IC card shown in fig. 6 may be issued by the bank; the IC card and the mobile banking back end may be the financial IC card and the back end that the issuer already uses, without modification.
Specifically, in this embodiment, when the user wants to complete a payment through the smart phone, the interaction between the devices and the applications running on them may proceed as follows:
S602: the mobile banking application acquires the login information for the mobile banking back end entered by the user and prompts the user to swipe the card;
S604: the user selects "read card" in the mobile banking application, so that the smart phone reads the card information in the financial IC card;
S606: using its NFC (near field communication) function, the mobile phone reads the CVM (cardholder verification method) information, the issuing bank public key index and the data used for SDA (static data authentication) from the financial IC card held close to the smart phone;
S608: the mobile banking application sends the login information entered by the user and the SDA data obtained by reading the card to the auxiliary authentication front end;
S610: the auxiliary authentication front end verifies the SDA data and, after the verification succeeds, obtains the card number from the SDA data;
S612: the front end judges, according to the login information, whether the card number is the card number bound when the user registered; if so, authentication succeeds, otherwise authentication fails;
S614: the auxiliary authentication front end returns the authentication result to the mobile banking application;
S616: the mobile banking application judges, according to the CVM information, whether the financial IC card supports DDA (dynamic data authentication); if so, it proceeds to step S618, and if not, to step S628;
S618: the mobile banking application requests DDA authentication from the financial IC card;
S620: the mobile phone reads the authentication data used for DDA from the IC card via NFC;
S622: the mobile banking application uploads the authentication data to the auxiliary authentication front end;
S624: the auxiliary authentication front end recovers the IC card public key from the IC card certificate using the issuing bank certificate (issuer public key) and verifies the DDA authentication data, that is, the dynamic signature, with it;
S626: the auxiliary authentication front end returns the DDA authentication result to the mobile banking application;
S628: if the authentication result returned in S614 (and, when DDA was performed, the DDA result returned in S626) is successful, the mobile banking application sends the login information to the mobile banking back end;
S630: the mobile banking back end returns the login response result to the mobile banking application.
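The SDA-like verification chain described earlier (CA public key, issuer public key certificate, signed static data) and the SDA and DDA steps S606 to S626 of this flow can be modelled together as follows. This is an added example, not code from the patent, the auxiliary authentication front end or any issuer or payment scheme. It replaces EMV's ISO/IEC 9796-2 signatures with message recovery by textbook RSA over a SHA-256 digest, uses fixed Mersenne primes as keys, and represents certificates simply as a public modulus plus a signature over it; all keys, the card's static data, the nonce and the function names are constructed assumptions. What it does show faithfully is which key checks which object, why altered static data or a forged issuer certificate fails SDA, and why DDA, unlike SDA, rejects a replayed signature.

```python
"""Toy SDA/DDA verification chain for the auxiliary authentication front end.

Added example; not the patent's code, not EMV-conformant and not secure.
Textbook RSA over SHA-256 with fixed Mersenne-prime keys stands in for the
real ISO/IEC 9796-2 signatures. All keys and card data are constructed.
"""
import hashlib
import secrets

E = 65537


def _keypair(p, q):
    """Textbook RSA key (n, d) from two primes; e is fixed to 65537."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data), d, n)


def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == _digest(data)


def _pub_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


# Constructed key hierarchy: scheme CA -> issuing bank -> one card.
CA_PRIV = _keypair((1 << 521) - 1, (1 << 607) - 1)
ISSUER_PRIV = _keypair((1 << 127) - 1, (1 << 1279) - 1)
CARD_PRIV = _keypair((1 << 107) - 1, (1 << 2203) - 1)
CA_N, ISSUER_N, CARD_N = CA_PRIV[0], ISSUER_PRIV[0], CARD_PRIV[0]

# What personalisation writes onto the card (constructed sample).
STATIC_DATA = b"PAN=6222000000000001;EXP=2912;NAME=ZHANG SAN"
ISSUER_CERT = sign(CA_PRIV, _pub_bytes(ISSUER_N))   # CA vouches for issuer key
SSAD = sign(ISSUER_PRIV, STATIC_DATA)               # issuer signs static data
CARD_CERT = sign(ISSUER_PRIV, _pub_bytes(CARD_N))   # issuer vouches for card key


def verify_sda(ca_n, issuer_n, issuer_cert, static_data, ssad):
    """Step S610: walk the chain; return the card number, or None on failure."""
    if not verify(ca_n, _pub_bytes(issuer_n), issuer_cert):
        return None  # issuer key was not certified by the CA
    if not verify(issuer_n, static_data, ssad):
        return None  # static data altered, or not signed by this issuer
    fields = dict(f.split("=", 1) for f in static_data.decode().split(";"))
    return fields.get("PAN")


def card_sign_dynamic(card_priv, static_data: bytes, nonce: bytes) -> int:
    """Card side of DDA (S618-S620): sign static data plus the fresh nonce."""
    return sign(card_priv, static_data + nonce)


def verify_dda(ca_n, issuer_n, issuer_cert, card_n, card_cert,
               static_data, nonce, dyn_sig) -> bool:
    """Step S624: CA -> issuer -> card chain, then the dynamic signature."""
    if not verify(ca_n, _pub_bytes(issuer_n), issuer_cert):
        return False
    if not verify(issuer_n, _pub_bytes(card_n), card_cert):
        return False
    return verify(card_n, static_data + nonce, dyn_sig)


def front_end_authenticate(login_user, bound_cards, sda_bundle, dda=None):
    """S610-S612 and, when dda is given, S624: True only if the card number
    recovered from verified SDA data is the one bound at registration and,
    if DDA data is present, the dynamic signature verifies for this nonce.
    sda_bundle = (issuer_n, issuer_cert, static_data, ssad);
    dda = (card_n, card_cert, nonce, dyn_sig)."""
    pan = verify_sda(CA_N, *sda_bundle)
    if pan is None or not secrets.compare_digest(pan, bound_cards.get(login_user, "")):
        return False
    if dda is not None:
        card_n, card_cert, nonce, dyn_sig = dda
        return verify_dda(CA_N, sda_bundle[0], sda_bundle[1], card_n, card_cert,
                          sda_bundle[2], nonce, dyn_sig)
    return True
```

In use, the front end generates the nonce itself per request and never accepts a nonce chosen by the phone; a signature captured from an earlier session then fails at S624 because it covers a different nonce, which is exactly the replay that SDA alone cannot detect.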
The present invention is further explained by providing some preferred embodiments, but it should be noted that the preferred embodiments are only for better describing the present invention and are not to be construed as unduly limiting the present invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.